updater: namespace and split Ubuntu/RHEL vulnerabilities

quay · Feb 24, 2016 · 99de759 · 99de759
1 parent 82175dc
commit 99de759
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 38 deletions.
diff --git a/updater/fetchers.go b/updater/fetchers.go
@@ -49,3 +49,38 @@ func RegisterFetcher(name string, f Fetcher) {
 
 	fetchers[name] = f
 }
+
+// DoVulnerabilityNamespacing is an helper function for fetchers.
+//
+// It takes a Vulnerability that doesn't have a Namespace and split it into
+// potentially multiple vulnerabilities that have a Namespace and only contains the FixedIn
+// FeatureVersions corresponding to their Namespace.
+//
+// It helps simplifying the fetchers that share the same metadata about a Vulnerability regardless
+// of their actual namespace (ie. same vulnerability information for every version of a distro).
+func DoVulnerabilityNamespacing(v database.Vulnerability) []database.Vulnerability {
+	vulnerabilitiesMap := make(map[string]*database.Vulnerability)
+
+	featureVersions := v.FixedIn
+	v.FixedIn = []database.FeatureVersion{}
+
+	for _, fv := range featureVersions {
+		if vulnerability, ok := vulnerabilitiesMap[fv.Feature.Namespace.Name]; !ok {
+			newVulnerability := v
+			newVulnerability.Namespace.Name = fv.Feature.Namespace.Name
+			newVulnerability.FixedIn = []database.FeatureVersion{fv}
+
+			vulnerabilitiesMap[fv.Feature.Namespace.Name] = &newVulnerability
+		} else {
+			vulnerability.FixedIn = append(vulnerability.FixedIn, fv)
+		}
+	}
+
+	// Convert map into a slice.
+	var vulnerabilities []database.Vulnerability
+	for _, vulnerability := range vulnerabilitiesMap {
+		vulnerabilities = append(vulnerabilities, *vulnerability)
+	}
+
+	return vulnerabilities
+}
diff --git a/updater/fetchers/fetchers.go b/updater/fetchers/fetchers.go
diff --git a/updater/fetchers/rhel/rhel.go b/updater/fetchers/rhel/rhel.go
@@ -140,8 +140,10 @@ func (f *RHELFetcher) FetchUpdate(datastore database.Datastore) (resp updater.Fe
 			return resp, err
 		}
 
-		// Collect vulnerabilities.
-		resp.Vulnerabilities = append(resp.Vulnerabilities, vs...)
+		// Collect vulnerabilities, splitting them by Namespaces.
+		for _, v := range vs {
+			resp.Vulnerabilities = append(resp.Vulnerabilities, updater.DoVulnerabilityNamespacing(v)...)
+		}
 	}
 
 	// Set the flag if we found anything.

diff --git a/updater/fetchers/ubuntu/ubuntu.go b/updater/fetchers/ubuntu/ubuntu.go
@@ -132,23 +132,23 @@ func (fetcher *UbuntuFetcher) FetchUpdate(datastore database.Datastore) (resp up
 		return resp, err
 	}
 
-	// Parse and add the vulnerabilities.
 	for cvePath := range modifiedCVE {
+		// Open the CVE file.
 		file, err := os.Open(repositoryLocalPath + "/" + cvePath)
 		if err != nil {
 			// This can happen when a file is modified and then moved in another
 			// commit.
 			continue
 		}
 
+		// Parse the vulnerability.
 		v, unknownReleases, err := parseUbuntuCVE(file)
 		if err != nil {
 			return resp, err
 		}
 
-		if len(v.FixedIn) > 0 {
-			resp.Vulnerabilities = append(resp.Vulnerabilities, v)
-		}
+		// Add the vulnerability to the response, splitting it by Namespaces.
+		resp.Vulnerabilities = append(resp.Vulnerabilities, updater.DoVulnerabilityNamespacing(v)...)
 
 		// Log any unknown releases.
 		for k := range unknownReleases {

diff --git a/updater/fetchers_test.go b/updater/fetchers_test.go
@@ -0,0 +1,55 @@
+package updater
+
+import (
+	"testing"
+
+	"github.com/coreos/clair/database"
+	"github.com/coreos/clair/utils/types"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDoVulnerabilityNamespacing(t *testing.T) {
+	fv1 := database.FeatureVersion{
+		Feature: database.Feature{
+			Namespace: database.Namespace{Name: "Namespace1"},
+			Name:      "Feature1",
+		},
+		Version: types.NewVersionUnsafe("0.1"),
+	}
+
+	fv2 := database.FeatureVersion{
+		Feature: database.Feature{
+			Namespace: database.Namespace{Name: "Namespace2"},
+			Name:      "Feature1",
+		},
+		Version: types.NewVersionUnsafe("0.2"),
+	}
+
+	fv3 := database.FeatureVersion{
+		Feature: database.Feature{
+			Namespace: database.Namespace{Name: "Namespace2"},
+			Name:      "Feature2",
+		},
+		Version: types.NewVersionUnsafe("0.3"),
+	}
+
+	vulnerability := database.Vulnerability{
+		Name:    "DoVulnerabilityNamespacing",
+		FixedIn: []database.FeatureVersion{fv1, fv2, fv3},
+	}
+
+	vulnerabilities := DoVulnerabilityNamespacing(vulnerability)
+	for _, vulnerability := range vulnerabilities {
+		switch vulnerability.Namespace.Name {
+		case fv1.Feature.Namespace.Name:
+			assert.Len(t, vulnerability.FixedIn, 1)
+			assert.Contains(t, vulnerability.FixedIn, fv1)
+		case fv2.Feature.Namespace.Name:
+			assert.Len(t, vulnerability.FixedIn, 2)
+			assert.Contains(t, vulnerability.FixedIn, fv2)
+			assert.Contains(t, vulnerability.FixedIn, fv3)
+		default:
+			t.Errorf("Should not have a Vulnerability with '%s' as its Namespace.", vulnerability.Namespace.Name)
+		}
+	}
+}